

Wednesday, January 27, 2016

SOA Web service security

A simple way of protecting web services from unauthorized access is to use standard WS-Security. Web Services Security (WS-Security, WSS) is an extension to SOAP that applies security to web services.

Oracle SOA Suite 11g/12c provides out-of-the-box WS-Policies to protect web services and to securely call a protected web service. In this article I'll show you how to do this.


How to protect a web-service with username and password


  • Open the composite.xml
  • Right-click the exposed service and click Configure SOA WS Policies...
  • Under Security, click the + button
  • Scroll down, select oracle/wss_username_token_service_policy and click OK
  • Now deploy and test. Very simple, isn't it?
  • For OSB, the same option is available on the proxy services.
  • To test this web service, a WSSE header carrying the username and password has to be passed with the request.
    • Please note that the username/password must be defined in the WebLogic server. Refer to the section below to learn how to create a WebLogic user.
Example web service call:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:bpel="http://xmlns.oracle.com/TestMDSApplication/Project2/BPELProcess1">
   <soapenv:Header>
      <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <wsse:UsernameToken wsu:Id="UsernameToken-4" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:Username>weblogic</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">welcome1</wsse:Password>
         </wsse:UsernameToken>
      </wsse:Security>
   </soapenv:Header>
   <soapenv:Body>
      <bpel:process>
         <bpel:input>as</bpel:input>
      </bpel:process>
   </soapenv:Body>
</soapenv:Envelope>
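As an added example (not code from the original post and not Oracle's own policy implementation), here is in Python what the service-side policy has to do with the header above: pull the UsernameToken out of the wsse:Security header and check it against the realm's users. It goes beyond the post by also handling the PasswordDigest form from the WSS UsernameToken Profile 1.0, Base64(SHA-1(nonce + created + password)), because PasswordText, as in the call above, carries the password in the clear inside the message and relies entirely on the transport for protection. The user store, the digest envelope builder and the sample values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = PROFILE + "#PasswordText"
PASSWORD_DIGEST = PROFILE + "#PasswordDigest"

# Constructed user store standing in for the users defined in the WebLogic realm.
USERS = {"weblogic": "welcome1"}

# The PasswordText call from the post, trimmed to the header that matters.
TEXT_ENVELOPE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="{WSSE_NS}">
      <wsse:UsernameToken>
        <wsse:Username>weblogic</wsse:Username>
        <wsse:Password Type="{PASSWORD_TEXT}">welcome1</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""


def extract_username_token(envelope_xml):
    """Return the UsernameToken fields under Header/wsse:Security; ValueError if missing."""
    root = ET.fromstring(envelope_xml)
    token = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSSE_NS}}}UsernameToken")
    if token is None:
        raise ValueError("no wsse:UsernameToken in the SOAP Header")
    username = token.find(f"{{{WSSE_NS}}}Username")
    password = token.find(f"{{{WSSE_NS}}}Password")
    if username is None or password is None:
        raise ValueError("UsernameToken lacks Username or Password")
    nonce = token.find(f"{{{WSSE_NS}}}Nonce")
    created = token.find(f"{{{WSU_NS}}}Created")
    return {
        "username": username.text or "",
        "password": password.text or "",
        "type": password.get("Type", PASSWORD_TEXT),  # the profile's default is PasswordText
        "nonce": None if nonce is None else (nonce.text or ""),
        "created": None if created is None else (created.text or ""),
    }


def password_digest(nonce_b64, created, password):
    """Base64(SHA-1(nonce + created + password)): nonce as raw bytes, the rest as UTF-8."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def verify_username_token(envelope_xml, users=USERS):
    """Return (accepted, reason); every secret comparison is constant-time."""
    try:
        tok = extract_username_token(envelope_xml)
    except (ValueError, ET.ParseError) as exc:
        return False, str(exc)
    expected = users.get(tok["username"])
    if expected is None:
        return False, "unknown user"
    if tok["type"] == PASSWORD_TEXT:
        ok = hmac.compare_digest(tok["password"].encode(), expected.encode())
        return ok, "PasswordText " + ("accepted" if ok else "rejected")
    if tok["type"] == PASSWORD_DIGEST:
        if not tok["nonce"] or not tok["created"]:
            return False, "PasswordDigest requires Nonce and Created"
        want = password_digest(tok["nonce"], tok["created"], expected)
        ok = hmac.compare_digest(want.encode(), tok["password"].encode())
        return ok, "PasswordDigest " + ("accepted" if ok else "rejected")
    return False, "unsupported Password Type " + tok["type"]


def digest_envelope(username, password, nonce, created):
    """Client side: build a constructed envelope carrying a PasswordDigest token."""
    nonce_b64 = base64.b64encode(nonce).decode()
    return f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}">
      <wsse:UsernameToken>
        <wsse:Username>{username}</wsse:Username>
        <wsse:Password Type="{PASSWORD_DIGEST}">{password_digest(nonce_b64, created, password)}</wsse:Password>
        <wsse:Nonce>{nonce_b64}</wsse:Nonce>
        <wsu:Created>{created}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""


if __name__ == "__main__":
    print(verify_username_token(TEXT_ENVELOPE))
    print(verify_username_token(TEXT_ENVELOPE.replace("welcome1", "guess")))
    print(verify_username_token(digest_envelope("weblogic", "welcome1", b"\x00\x01\x02\x03", "2016-01-27T10:00:00Z")))
```

A real service-side check of the digest form also has to reject reused nonces and stale Created timestamps, otherwise a captured header can simply be replayed; that bookkeeping is left out here so the digest computation itself stays visible.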


How to call a protected web-service


Now that we have protected the service from unauthorized access, how do we call it from another web service?
  • Open the composite.xml
  • Right-click the external reference and click Configure SOA WS Policies...
  • Under Security, click the + button
  • Scroll down, select oracle/wss_username_token_client_policy and click OK
  • For OSB, the same option is available on the business services.
  • The username and password to be passed to the service should be configured as a key in the EM console under the Security > Credentials section. Refer to the next section to learn how to do that.
  • The configured key has to be entered in the csf-key property of the binding.ws element inside the reference tag in composite.xml, as shown below.
composite.xml
<reference name="asyncProc"
             ui:wsdlLocation="http://localhost:7101/soa-infra/services/testing/AsyncProcess!1.0/WSDLs/AsyncBPELProcess.wsdl">
    <interface.wsdl interface="http://xmlns.oracle.com/TestMDSApplication/AsyncProcess/AsyncBPELProcess#wsdl.interface(AsyncBPELProcess)"/>
    <binding.ws port="http://xmlns.oracle.com/TestMDSApplication/AsyncProcess/AsyncBPELProcess#wsdl.endpoint(asyncbpelprocess_client_ep/AsyncBPELProcess_pt)"
                location="http://localhost:7101/soa-infra/services/testing/AsyncProcess/asyncbpelprocess_client_ep?WSDL"
                soapVersion="1.1">
      <property name="weblogic.wsee.wsat.transaction.flowOption" type="xs:string" many="false">WSDLDriven</property>
      <property name="csf-key" type="xs:string" many="false">TestKey</property>
    </binding.ws>
  </reference>
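As an added example (not the post's code and not an Oracle tool), a small Python check over a composite.xml for the two things this section depends on: that a reference with oracle/wss_username_token_client_policy attached actually carries a csf-key property, and that its endpoint is not plain http, since the UsernameToken the client policy adds would then leave the server without any transport protection. It assumes the policy attachment appears as a wsp:PolicyReference element under binding.ws; the composite fragment is constructed for the demo, with the asyncProc reference mirroring the one above and a second reference that has the policy but no key.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed composite.xml: asyncProc is configured as in the post (policy attached,
# csf-key set, but a plain http endpoint); orderService has the policy but no key.
SAMPLE_COMPOSITE = """<composite xmlns="http://xmlns.oracle.com/sca/1.0"
           xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" name="Project2">
  <reference name="asyncProc">
    <binding.ws location="http://localhost:7101/soa-infra/services/testing/AsyncProcess/asyncbpelprocess_client_ep?WSDL"
                soapVersion="1.1">
      <wsp:PolicyReference URI="oracle/wss_username_token_client_policy"/>
      <property name="csf-key" type="xs:string" many="false">TestKey</property>
    </binding.ws>
  </reference>
  <reference name="orderService">
    <binding.ws location="https://orders.example.internal/OrderService?WSDL" soapVersion="1.1">
      <wsp:PolicyReference URI="oracle/wss_username_token_client_policy"/>
    </binding.ws>
  </reference>
</composite>"""


def lint_references(composite_xml):
    """Return (reference name, finding) pairs for every binding.ws that attaches a
    username-token client policy without a csf-key, or that points at plain http.
    Namespace wildcards ({*}) are used so the check does not depend on prefixes."""
    findings = []
    root = ET.fromstring(composite_xml)
    for ref in root.iterfind(".//{*}reference"):
        name = ref.get("name", "?")
        for ws in ref.findall("{*}binding.ws"):
            policies = [p.get("URI", "") for p in ws.findall("{*}PolicyReference")]
            needs_key = any("wss_username_token" in uri and uri.endswith("_client_policy")
                            for uri in policies)
            keys = [p.text for p in ws.findall("{*}property") if p.get("name") == "csf-key"]
            if needs_key and not any(k and k.strip() for k in keys):
                findings.append((name, "username-token client policy attached but no csf-key property"))
            location = ws.get("location", "")
            if urlsplit(location).scheme == "http":
                findings.append((name, f"plain http endpoint {location}: the UsernameToken "
                                       "would be sent without transport protection"))
    return findings


if __name__ == "__main__":
    for ref_name, finding in lint_references(SAMPLE_COMPOSITE):
        print(f"{ref_name}: {finding}")
```

Run it against the composite.xml of a project before deployment; the http finding is the one most easily missed, because the post's own endpoint (localhost:7101) is exactly that kind of plain-http URL.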


How to configure keys in Weblogic server


  • Log on to the WebLogic EM console
  • Right-click Weblogic Domain > Default Domain
  • Click Security > Credentials
  • Create a new map (oracle.wsm.security) and create a key under oracle.wsm.security
    • I think the map name has to be oracle.wsm.security




How to create an user in Weblogic server


This is the simplest configuration, where no external identity store (such as OID or Microsoft Active Directory) is configured with the WebLogic server.

  • Go to WebLogic Console home > Security Realms > myrealm
  • Click the Users and Groups tab
  • Click the New button and enter the username/password details.

